Work Life
Recruitment systems and competence databases
It is common for employers to process personal data when recruiting staff. The same applies when using competence databases.
Use of recruitment systems and competence databases
It is important to remember not to process more personal data than necessary for the purpose. In addition, it is important to delete or anonymize the personal data when they are no longer necessary to process for the purpose for which they were collected. In some cases, it may also be appropriate to carry out a data protection impact assessment (DPIA) before the intended processing is carried out.
Legal basis for the processing of personal data in connection with recruitment
The legal basis that an employer can use for the processing of personal data in the context of recruitment differs, depending on whether the employer is a private company or a public authority.
Legitimate interest
Private companies commonly rely on the legal basis legitimate interest (Article 6(1)(f) GDPR) when recruiting staff. Legitimate interest means that the company has weighed up the interests and concluded that its interest in carrying out the processing outweighs the interests and rights of the data subject.
Public interest
If the employer is a public authority, they usually use the legal basis of the exercise of official authority and tasks of public interest (Article 6(1)(e) GDPR). Public authorities cannot use legitimate interest as a legal basis in the exercise of their public powers.
What legal basis for the processing of personal data in connection with recruitment should be avoided?
Consent (Article 6(1)(a) GDPR) as the legal basis for the processing of personal data in connection with recruitment should be avoided. It is not always an appropriate or permitted legal basis on which to rely for processing personal data. This applies, inter alia, where the relationship of power between the data subject and the controller is not equal, for example between an employer and a jobseeker, or between an authority and citizens. However, it may be permitted and appropriate in some cases, such as if the employee wants to take a personality test.
The data subjects shall be informed about the employer's processing of their personal data
An employer shall inform data subjects about the processing of their personal data. In this case, the employees of the employer are to be regarded as a category of data subjects under the GDPR.
For example, employees have the right to know why the employer processes their personal data and on what legal basis the employer relies for the processing. In addition, they must be informed about their rights under the GDPR.
When shall the employer provide the information about the processing to the employees?
The employer must provide employees with information about its processing of their personal data. However, the timeframe for doing so depends on the source of the personal data.
Article 13 of the GDPR applies if the employer obtains the personal data directly from the employee. In such cases, the employer shall inform the employees about the processing at the latest when the personal data is being collected.
Article 14 of the GDPR applies if the employer instead collects the personal data from a source other than the data subject. In such cases, the information shall be provided within a reasonable period of time, but not later than one month after the processing has taken place. However, where the personal data are to be used for communication with the data subject, the information shall be provided at the latest at the time of the first communication with the data subject. If the employer intends to make a disclosure to another recipient, the information about the processing shall be provided at the latest when the personal data are disclosed for the first time.
Use of recruitment systems when recruiting new staff to the company
It is common for employers to use a recruitment system when recruiting new staff to the company. This applies to both internal and external recruitment. Please note that it is not permitted to process more personal data than necessary for the purpose of the processing. In other words, it is not allowed to process more personal data than necessary to assess whether a jobseeker is suitable for the position or not.
Is it allowed to process sensitive information in connection with recruitment?
Companies should take care that the processing is not too far-reaching for the specific position. For example, the employer should avoid processing privacy-sensitive information. The company should also avoid processing sensitive personal data under the GDPR when recruiting, but there are exceptions.
- For example, it may be relevant for a food production plant to know if employees have any relevant allergies. Information about allergies is sensitive personal data according to Article 9 of the GDPR, as it constitutes information about an individual’s health.
If a job involves a high level of responsibility, such as in financial or security terms, it may be more appropriate to request more comprehensive information about the jobseekers than if the person will work in customer service with simpler administrative tasks.
Is there a time limit for the processing of personal data in the context of recruitment?
According to the general rule of the GDPR, companies must delete personal data when it is no longer necessary for the purpose for which it was collected. However, the company may need to keep certain data longer if this is required to comply with other applicable legislation.
- For example, companies tend to have to keep invoices and receipts for a certain number of years according to their national accounting legislation.
When should personal data collected through the recruitment process be deleted?
When an employer is going to recruit a person, they usually process personal data such as names, notes from the interview, any references, etc. The personal data must be deleted or anonymized when they are no longer necessary for the application process.
- However, the company may retain personal data for as long as the employee can take legal action against the company. For example, if the person can appeal against a refusal of a service.
Storage of personal data in a candidate pool for future recruitment
An employer may find it useful to save jobseekers’ personal data in a candidate pool for future recruitment. However, it is not permissible to rely on the legal basis of legitimate interest for this. In such cases, the employer must instead obtain valid consent from the jobseeker.
Process personal data in skills databases as an employer
A company may have a legitimate interest in processing personal data in competence databases for internal recruitment. Examples include what training the employee has completed or what experience they have from previous jobs.
In addition, the company may need to process the results of various personality tests or similar that the employee has taken. Please note that this personal data is privacy-sensitive and therefore subject to stricter rules under the GDPR.
Carry out a data protection impact assessment
Background checks
If an employer intends to carry out background checks on employees or potential employees prior to recruitment.
Competence databases
If a recruitment company creates a competence database or candidate database.
More about GDPR in the workplace
Employers' use of biometric data
Biometric data are sensitive personal data. Thus, it is forbidden to process such data according to the general rule in Article 9 of the GDPR, but there are exceptions. Examples of the use of biometric data are facial recognition and the reading of a fingerprint. For example, an employer may have a strong reason to use facial recognition for security reasons, and this may be allowed in such cases. Please note that an employer should not use consent as the legal basis for the processing of biometric data, as there is an unequal power relationship between the employer and the employee.